upvote

points

by ralusek12 hours ago |
comments
upvoteby eurleif12 hours ago|
next
[-]
The part you may be missing is that cookies exist.

User visits A.com, types in their username and password, and a cookie is set in their browser. The browser will send that cookie back to A.com with all subsequent requests, and A.com's server will use it to enable access to the user's account.

Now the user visits B.com, which makes a request to A.com/private_user_data. The user's cookie is sent with this request, so A.com will respond with (and B.com will receive) the user's private data without the user consenting to this at all (not even in a "misguided" way).

reply
upvoteby xigoi2 hours ago|
parent|
[-]
Why not just not send cookies instead of blocking the request completely?
reply
upvoteby 9dev11 hours ago|
prev|
[-]
> […] the browser prevents itself from making the call.

That's not strictly correct, by the way. The request is made, but the JavaScript code on Domain A is not allowed to read the response. This matters when a request is destructive on its own, for example.

reply
upvoteby eurleif11 hours ago|
parent|
next
[-]
To go even deeper into the weeds: this is only true of "simple" requests[0]. Requests that aren't "simple" always require preflight approval. This is based on which requests a <form> or link could already create without approval; since the dawn of time, <form method="post"> could submit a potentially-destructive request, and sites needed to protect themselves against that via XSRF tokens; so CORS could allow submiting the same class of requests without preflight approval, and not introduce any new attacks. But there's no <form method="delete">, for example, so CORS would have created attacks against previously-secure sites if it had allowed DELETE requests without preflight approval.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/COR...

reply
upvoteby ralusek5 hours ago|
parent|
prev|
[-]
My understanding was it was an OPTIONS preflight request that is made.
reply
upvoteby 9dev5 hours ago|
parent|
[-]
Only for complex requests, and even then - a naive implementation of a web application that executes actions on GET requests might do the same for a HEAD request too.
reply